{"id":12429,"date":"2023-06-12T07:03:25","date_gmt":"2023-06-12T07:03:25","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/"},"modified":"2023-07-26T04:37:32","modified_gmt":"2023-07-26T04:37:32","slug":"practical-linux-rootkits-hitb2023hkt","status":"publish","type":"product","link":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/","title":{"rendered":"Practical Linux Rootkits for Red and Blue Team with PurpleLabs"},"content":{"rendered":"<div class=\"page\" title=\"Page 3\">\r\n<div class=\"page\" title=\"Page 3\">\r\n<h4><strong><span style=\"color: #993300\">ATTEND IN-PERSON<\/span>: Onsite in Phuket<\/strong><\/h4>\r\n<h4><strong>DATE: 21-23 August 2023<\/strong><\/h4>\r\n<\/div>\r\n<h4><strong>TIME: 09:00 to 17:00 ICT\/GMT+7<\/strong><\/h4>\r\n<table style=\"height: 146px\" width=\"599\">\r\n<tbody>\r\n<tr>\r\n<td><strong>Date<\/strong><\/td>\r\n<td><strong>Day<\/strong><\/td>\r\n<td style=\"text-align: left\"><strong>Time<\/strong><\/td>\r\n<td><strong>Duration<\/strong><\/td>\r\n<\/tr>\r\n<tr>\r\n<td>21 Aug<\/td>\r\n<td>Monday<\/td>\r\n<td>0900-17:00 ICT\/GMT+7<\/td>\r\n<td>8 Hours<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>22 Aug<\/td>\r\n<td>Tuesday<\/td>\r\n<td>0900-17:00 ICT\/GMT+7<\/td>\r\n<td>8 Hours<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>23 Aug<\/td>\r\n<td>Wednesday<\/td>\r\n<td>0900-17:00 ICT\/GMT+7<\/td>\r\n<td>8 Hours<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\u00a0<\/div>\r\n<hr \/>\r\n<div class=\"page\" title=\"Page 3\">\r\n<div class=\"layoutArea\">\r\n<div>\r\n<div class=\"page\" title=\"Page 1\">\r\n<div class=\"section\">\r\n<div class=\"layoutArea\">\r\n<div class=\"column\">\r\n<h5 style=\"text-align: center\"><em><span style=\"color: #993300\">Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with updates included!<\/span><\/em><\/h5>\r\n<hr 
\/><\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<div class=\"page\" title=\"Page 1\">\r\n<div class=\"section\">\r\n<div class=\"layoutArea\">\r\n<p class=\"column\">\u00a0<\/p>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<div class=\"page\" title=\"Page 3\">\r\n<div class=\"layoutArea\">\r\n<div class=\"page\" title=\"Page 1\">\r\n<div class=\"section\">\r\n<div class=\"layoutArea\">\r\n<div class=\"page\" title=\"Page 4\">\r\n<div class=\"section\">\r\n<div><strong>This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023 that allows for chaining these TTPs together and understanding better <\/strong><strong>the threat ecosystems in Linux. I trust this project&#8217;s compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based <\/strong><strong>ecosystems.<\/strong><\/div>\r\n\u00a0<\/div>\r\n<div class=\"section\">\r\n<p><iframe title=\"#HITB2023HKT TRAINING - Practical Linux Rootkits for Red and Blue Team with PurpleLabs\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/nckMgKpg5Rg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\r\n<h4><strong><span dir=\"ltr\" role=\"presentation\">Practical Linux Rootkits for Red <\/span><span dir=\"ltr\" role=\"presentation\">and Blue Team with PurpleLabs.<\/span><\/strong><\/h4>\r\n<div class=\"layoutArea\">This training has been created with a focus on realistic hands-on experience in analyzing user space and kernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworks for Linux with a focus on Sliver overview\/behavior, and offensive vs DFIR tooling in the Linux ecosystem.<\/div>\r\n\u00a0\r\n<div class=\"layoutArea\">This training helps create and understand low-level Linux attack paths, improve your Linux 
detection coverage, see in action many Open Source DFIR\/defensive projects, and understand the need for Linux telemetry, especially including Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD\/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR, OSQUERY, cli-based \/proc\/ and \/sys\/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH\/ARKIME, YARA and more.<\/div>\r\n\u00a0\r\n<div class=\"layoutArea\">During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench, and Navigator for a structured format of training suitable for production use immediately after the course.<\/div>\r\n\u00a0\r\n<div class=\"layoutArea\">We will actively discuss and play with a set of real Linux offensive use cases vs detection\/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!<\/div>\r\n\u00a0\r\n<div class=\"layoutArea\">If you want to enhance your understanding of Linux x86\/x64 internals and stay prepared for Linux threats, this training is a must-attend! 
#LinuxSecurity #LiveForensics #CybersecurityTraining.<\/div>\r\n\u00a0\r\n<h5><strong><span dir=\"ltr\" role=\"presentation\">Topics Covered<\/span><\/strong><\/h5>\r\n<div class=\"layoutArea\"><br role=\"presentation\" \/><strong><span dir=\"ltr\" role=\"presentation\">Intro:<\/span><\/strong><\/div>\r\n<ul>\r\n<li class=\"layoutArea\"><span dir=\"ltr\" role=\"presentation\">Current Linux threat landscape and APT analysis (2022\/2023)<\/span><\/li>\r\n<li class=\"layoutArea\"><span dir=\"ltr\" role=\"presentation\">General Linux rootkit types and behaviors<\/span><\/li>\r\n<li class=\"layoutArea\"><span dir=\"ltr\" role=\"presentation\">PurpleLabs Hunting\/Detection\/DFIR components Fast Track: <\/span><\/li>\r\n<\/ul>\r\n<div class=\"layoutArea\" style=\"padding-left: 40px\"><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Falco<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Tracee<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Sysdig<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Sysmon4Linux<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">syslog<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">LKRG<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">SELinux<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">bpftool<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" 
role=\"presentation\">Velociraptor<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">OSquery<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Sand<\/span><span class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">fl<\/span><\/span><span dir=\"ltr\" role=\"presentation\">y Security<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Volatility Framework + semi+automated memory acquisition<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">uac<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">auditd<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Yara rules<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Wazuh<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Zeek<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Suricata<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Moloch\/Arkime<\/span><\/div>\r\n<div>\u00a0<\/div>\r\n<div class=\"layoutArea\"><br role=\"presentation\" \/><strong><span dir=\"ltr\" role=\"presentation\">User Space Rootkits Attack\/Detection Hands-On:<\/span><\/strong><\/div>\r\n<div>\u00a0<\/div>\r\n<div class=\"layoutArea\" style=\"padding-left: 40px\"><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" 
role=\"presentation\">Shared Library Injection <br \/><\/span><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Socket Command Injection <br \/><\/span><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">ELF injection with ptrace()<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">ELF injection without ptrace()<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">In-memory exec with DDExec<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">In-memory execution with memrun<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">memfd_vs_no_exec<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Dynamic Linker Preloading<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Zombie Ant Pypreloader<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Linux ELF Loader\/Crypter<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">MSF Shellcode from bash<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">SSHD injection<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">PAM-based Rootkits #1<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" 
role=\"presentation\">PAM-based Rootkits #2<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">PAM-based Rootkits #3<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Yum\/RPM Persistence<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Malicious RPM\/DEB<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">HTTPD Rootkits #1<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">HTTPD Rootkits #2<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Webshells: SOCKS from JSP<\/span><\/div>\r\n<div>\u00a0<\/div>\r\n<div>\u00a0<\/div>\r\n<div class=\"layoutArea\"><strong><span dir=\"ltr\" role=\"presentation\">Kernel Space rootkits Attack\/Detection Hands-On:<\/span><\/strong><\/div>\r\n<div class=\"layoutArea\" style=\"padding-left: 40px\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Fileless LKM loading<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">call_usermodehelper()<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Reptile Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Suterusu Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Reveng_rtkit Analysis<\/span><br 
role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">iptables evil bit<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">systemtap creds() upgrade <br \/><\/span><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Net<\/span><span class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">fi<\/span><\/span><span dir=\"ltr\" role=\"presentation\">lter hooking #1 <br \/><\/span><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">xt_conntrack.ko Infection<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Ftrace Hooking #1<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF bad-bpf trip<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">XDP UDP Magic Packet<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF hooking \/ TripleCross Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF SSL\/TLS capturing<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF Raw Tracepoint Interception<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF PAM creds stealing<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF bpfdoor Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" 
role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">eBPF Boopkit Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">ebpfkit Analysis<\/span><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">\u25cb<\/span> <span dir=\"ltr\" role=\"presentation\">Randomized Faulter<\/span><\/div>\r\n<div>\u00a0<\/div>\r\n<div>\u00a0<\/div>\r\n<div class=\"layoutArea\"><span dir=\"ltr\" role=\"presentation\">The training content focuses on Linux Rootkits vs Detection\/DFIR and is a <\/span><span dir=\"ltr\" role=\"presentation\">special \u2018Rootkit Oriented-only\u2019 training session based on the full material of <\/span><span dir=\"ltr\" role=\"presentation\">the \u2018Linux Attack and Live Forensics At Scale\u2019 course:<\/span><\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<ul>\r\n<li><a href=\"https:\/\/edu.defensive-security.com\/linux-attack-live-forensics-at-scale\"><span dir=\"ltr\" role=\"presentation\">https:\/\/edu.defensive-security.com\/linux-attack-live-forensics-at-scale<\/span><\/a>\r\n<div class=\"page\" title=\"Page 1\">\r\n<div class=\"section\">\r\n<div class=\"layoutArea\">\r\n<div class=\"page\" title=\"Page 4\">\u00a0<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h5><strong><span dir=\"ltr\" role=\"presentation\">Benefits for Red Teams<\/span><\/strong><\/h5>\r\n<ul>\r\n<li><span dir=\"ltr\" role=\"presentation\">Understand the advantages and values of the purple teaming <\/span><span dir=\"ltr\" role=\"presentation\">approach in the Linux red\/blue ecosystem<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn about the full scope of Linux offensive techniques, tools, and <\/span><span dir=\"ltr\" role=\"presentation\">the newest community research 2023<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn about different 
detection\/response tools and techniques vs <\/span><span dir=\"ltr\" role=\"presentation\">attacks<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn how to hide effectively in the Linux OS and how to exfiltrate <\/span><span dir=\"ltr\" role=\"presentation\">data in stealthy ways<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn how to deploy and use C2, low-level rootkits and see this <\/span><span dir=\"ltr\" role=\"presentation\">reflected in the detection\/DFIR tooling<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Get code and command snippets ready to use during your red team <\/span><span dir=\"ltr\" role=\"presentation\">and adversary operations\/emulations<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Get experience with Sigma Rules\/Protections Artifacts for staying <\/span><span dir=\"ltr\" role=\"presentation\">stealthier and improving your defense evasion skills at scale<\/span><\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h5><strong><span dir=\"ltr\" role=\"presentation\">Benefits for Blue Teams\/DFIR<\/span><\/strong><\/h5>\r\n<ul>\r\n<li><span dir=\"ltr\" role=\"presentation\">Understand the advantages and values of the purple teaming <\/span><span dir=\"ltr\" role=\"presentation\">approach in the Linux ecosystem<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn about the full scope of Linux Detection\/Forensics techniques, <\/span><span dir=\"ltr\" role=\"presentation\">tools, and the newest community research <\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Understand the structures of advanced Linux attack paths, how they <\/span><span dir=\"ltr\" role=\"presentation\">really work, and how to protect<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn about different offensive tools that you can use against <\/span><span dir=\"ltr\" role=\"presentation\">hackers<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">See the effectiveness of 
Detection tooling vs attacks emulations<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Get experience with Sigma Rules for a better understanding of the <\/span><span dir=\"ltr\" role=\"presentation\">logic behind attacks and needed telemetry <\/span><\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h5><strong><span dir=\"ltr\" role=\"presentation\">Benefits for <\/span><span dir=\"ltr\" role=\"presentation\">DevOps\/SecOps\/Admins<\/span><\/strong><\/h5>\r\n<ul>\r\n<li><span dir=\"ltr\" role=\"presentation\">This knowledge will change the way you look at hardening and <\/span><span dir=\"ltr\" role=\"presentation\">monitoring your Linux ecosystems<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Recognize security-related enhancements in the modern Linux kernel<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Understand current kernel components and programming interfaces <\/span><span dir=\"ltr\" role=\"presentation\">used to compromise a system<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Discover recommended Open Source Security solutions against <\/span><span dir=\"ltr\" role=\"presentation\">actual hands-on attacks<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Learn about the full scope of Linux Detection\/DFIR techniques, tools, <\/span><span dir=\"ltr\" role=\"presentation\">and the newest community research<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Understand the advantages and values of the purple teaming <\/span><span dir=\"ltr\" role=\"presentation\">approach in the Linux red\/blue scope<\/span><\/li>\r\n<li><span dir=\"ltr\" role=\"presentation\">Gain experience in managing many different detection and visibility <\/span><span dir=\"ltr\" role=\"presentation\">layers<\/span><\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p><h5><strong>What students say about this training<\/strong>:<\/h5>\r\n<p style=\"padding-left: 40px\"><em><span style=\"color: #993366\">&#8220;The content of in and out 
was great. Lots of gained knowledge and hands on!&#8221;<\/span><\/em><\/p>\r\n<p style=\"padding-left: 40px\"><em><span style=\"color: #993366\">\u201cGreat course! A truly huge number of topics and tools covered&#8221;<\/span><\/em><\/p>\r\n<p style=\"padding-left: 40px\"><em><span style=\"color: #993366\">&#8220;Leszek was a really good trainer, he covered a lot of material, and had a very good personality.&#8221; <\/span><\/em><\/p>\r\n<p style=\"padding-left: 40px\"><em><span style=\"color: #993366\">&#8220;Leszek Mi\u015b is very knowledgeable in the topics covered in the course. He also shares real life scenarios which were useful for participants to better understand application of material presented. The content was very good, it covers many leading open source projects which I find useful. I would recommend this course to my colleagues&#8221;<\/span><\/em><\/p><p>&nbsp;<\/p>\r\n<h5><strong>PurpleLabs Values:<\/strong><\/h5>\r\n<h5><\/h5>\r\n<p>This training is based on the PurpleLabs Cyber Range Playground. It\u2019s a dedicated, virtual infrastructure for detecting and analyzing the behavior of attackers in terms of the techniques, tactics, procedures, and used offensive tools. The environment is to serve the continuous improvement of competences in the field of threat hunting and learning about current trends from offensive scope (red-teaming) vs direct detection perspective (blue-teaming) and DFIR. By providing high-quality training materials with the lab environment in a scalable online format, we want to enable businesses to improve the detection capacity of their SOC teams and achieve better visibility and resistance to attacks. 
Having hands dirty with PurpleLabs will allow you to:<\/p><ul class=\"wp-block-list\"><li>Develop the team&#8217;s analytical skills required to work in the Security Operation Center environment<\/li>\r\n<li>Increase awareness of the complexity and dependencies between the elements of the APT campaigns, malware and the areas of detection<\/li>\r\n\r\n<li>Deliver a periodic knowledge transfer and systematic expansion of team competences in the field of Red + Blue = Purple teaming<\/li>\r\n\r\n<li>Acquire Attack Paths \/ Attack Lifecycles and Security Event Chains skills by combining attacker\u2019s single techniques, tactics and procedures (Chain Attack Scenarios)<\/li>\r\n\r\n<li>Understand the value of the Assume Breach approach and simulation of threats after early access (C2, post-exploitation, Lateral Movement, Persistence, Evasion)<\/li>\r\n\r\n<li>Understand what threat hunting is and why it is important<\/li>\r\n\r\n<li>Understand proactive DFIR and why it is important<\/li>\r\n\r\n<li>Acquire skills related to generating suspicious events on the layer of network and Windows and Linux operating systems and methods of their detection<\/li>\r\n\r\n<li>Understand the potential of Sigma rules and their values for SIEM solutions.<\/li>\r\n\r\n<li>Run a validation of the current security status of the organization&#8217;s network and the risks involved<\/li>\r\n\r\n<li>Obtain knowledge on supplying\/creating a complete SOC environment using Open Source software.<\/li><\/ul><p>&nbsp;<\/p><h5><strong>About Defensive Security<\/strong><\/h5>\r\n<p>Defensive Security delivers high-quality cyber security services including Linux \/ Windows digital forensics, incident response, latest threat analysis, and hunting, penetration testing, and infrastructure hardening. 
We successfully deliver a combination of Threat\/Adversary Emulations vs network\/endpoint investigations and log analysis at scale which is known as Purple Teaming.<\/p><p>Defensive Security offers advanced, hands-on cyber security training programs backed by PurpleLabs &#8211; a fully customized Cyber Range Environment enriched by step-by-step offensive\/defensive lab instructions. Want to sharpen your Purple team skills? Try PurpleLabs where you will be playing with chained attack paths, emulating attacker&#8217;s TTPs, and running detection\/response at the same time by using Sysmon and EVTX, Auditd, Wazuh, Graylog, HELK, ElastAlert, Falco, OSQuery, Velociraptor, Zeek, Suricata, Moloch FPC, Volatility Framework, theHive, MISP, and Sigma Rules.<\/p><p>Our mission is to help organizations have more secure infrastructures, better utilize Open Source software in Security Operations, and enable businesses to improve the detection capacity and skills of their SOC\/IR teams.<\/p><p>We are trusted by the biggest customers from the private, oil and gas, insurance, and financial sector. 
It was an honor for us to conduct training workshops during the biggest conferences including Hack In The Box, BruCON, 44CON, OWASP AppSec US, and Black Hat US.<\/p><p>Our almost 20 years of hands-on experience with Open Source Security Solutions go directly into the full spectrum of technology solutions to support customers achieving better visibility and detections, improving offensive and defensive Red \/ Blue and Purple team skills, validating defensive technology stacks, and helping understand the value of the Assume Breach approach and emulation of threats after getting initial access (C2, post-exploitation, Lateral Movement, Persistence, Evasion).<\/p>","protected":false},"excerpt":{"rendered":"<p>ATTEND IN-PERSON: Onsite in Phuket DATE: 21-23 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours \u00a0 Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with [&hellip;]<\/p>\n","protected":false},"featured_media":11752,"template":"","meta":{"_acf_changed":false},"product_cat":[61,77,57],"product_tag":[],"class_list":{"0":"post-12429","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-3-day-training","7":"product_cat-hitb2023hkt","8":"product_cat-in-person","10":"first","11":"instock","12":"featured","13":"shipping-taxable","14":"purchasable","15":"product-type-simple"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"og:description\" content=\"ATTEND IN-PERSON: Onsite in Phuket DATE: 21-23 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours \u00a0 Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/\" \/>\n<meta property=\"og:site_name\" content=\"HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-26T04:37:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/\",\"name\":\"Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg\",\"datePublished\":\"2023-06-12T07:03:25+00:00\",\"dateModified\":\"2023-07-26T04:37:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg\",\"contentUrl\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg\",\"width\":1200,\"height\":900},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-r
ootkits-hitb2023hkt\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shop\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/shop\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Practical Linux Rootkits for Red and Blue Team with PurpleLabs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\",\"name\":\"HITB (in)Cyber 2024 - Abu Dhabi\",\"description\":\"May 14 - 16, Etihad Arena \",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/","og_locale":"en_US","og_type":"article","og_title":"Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi","og_description":"ATTEND IN-PERSON: Onsite in Phuket DATE: 21-23 August 2023 TIME: 09:00 to 17:00 ICT\/GMT+7 Date Day Time Duration 21 Aug Monday 0900-17:00 ICT\/GMT+7 8 Hours 22 Aug Tuesday 0900-17:00 ICT\/GMT+7 8 Hours 23 Aug Wednesday 0900-17:00 ICT\/GMT+7 8 Hours \u00a0 Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with 
[&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/","og_site_name":"HITB (in)Cyber 2024 - Abu Dhabi","article_modified_time":"2023-07-26T04:37:32+00:00","og_image":[{"width":1200,"height":900,"url":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/","name":"Practical Linux Rootkits for Red and Blue Team with PurpleLabs - HITB (in)Cyber 2024 - Abu Dhabi","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website"},"primaryImageOfPage":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage"},"image":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage"},"thumbnailUrl":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg","datePublished":"2023-06-12T07:03:25+00:00","dateModified":"2023-07-26T04:37:32+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#primaryimage","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg","contentUrl"
:"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-content\/uploads\/sites\/21\/2023\/03\/leszek.jpg","width":1200,"height":900},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/product\/practical-linux-rootkits-hitb2023hkt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/"},{"@type":"ListItem","position":2,"name":"Shop","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/shop\/"},{"@type":"ListItem","position":3,"name":"Practical Linux Rootkits for Red and Blue Team with PurpleLabs"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/","name":"HITB (in)Cyber 2024 - Abu Dhabi","description":"May 14 - 16, Etihad Arena ","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product\/12429"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/types\/product"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media\/11752"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media?parent=12429"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product_cat?post=12429"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/product_tag?post=12429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}